Solved

Active Directory Lightweight Directory Services (AD-LDS) - What are you using it for, and how?

Posted on 2015-02-24
Last Modified: 2015-02-26
Hello,

I am working with AD-LDS and am trying to create a single sign-on solution that can be used for web servers / applications / etc....can anyone describe what they are using AD-LDS for and how they're syncing from Active Directory?
Question by:jkeegan123
5 Comments
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40629445
AD-LDS is not the right tool for that job. If you are looking for single sign-on, you want ADFS.
 
LVL 5

Author Comment

by:jkeegan123
ID: 40629679
Perhaps I was not being clear; I thought that AD-LDS was the right tool here. What I want to do is combine multiple directories using AD-LDS so that (5) or so Windows domains in different sites that are connected via VPN without trusts can make use of the single AD-LDS directory that we pull / sync accounts to from each of the 5 domains.

Am I getting warmer?  :)
 
LVL 56

Accepted Solution

by:
Cliff Galiher earned 500 total points
ID: 40629716
*IF* you want single sign-on, no. Windows specifically hardens credential storage on DCs, so there is no legitimate way to sync credentials to AD-LDS. Also, AD-LDS doesn't have Kerberos support built in like AD-DS. You could create a custom property in AD-LDS (after all, that's why it is there) to store passwords (hashed or otherwise), but you'd be writing your own authentication mechanism to write that property, and it would *not* be an SSO experience at all. Because it'd be a custom property and a custom authentication method, there is no way to even enforce that the passwords are the same.

AD-LDS *does* support proxying authentication back into AD-DS, but it only does so if AD-LDS is a member server, and it only does so to a domain controller of the domain of which the AD-LDS server is a member. That would not work with your 5-domain scenario with no trusts: it would not be able to proxy requests to four of the domains, and the DCs, not having trusts, would not be able to handle the proxied request.

In short, if you have permissions to sync AD objects, I'm not sure why you wouldn't implement trusts. That'd be a far more efficient process. And for most SSO web scenarios, you'll need ADFS any which way. So I still don't see AD-LDS being the right tool here.
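The proxy-authentication limit described in the accepted answer (bind redirection only reaches a DC of the domain the AD-LDS host is joined to) can be audited rather than discovered at bind time. The script below is an added example, not code from the thread or from Microsoft; it assumes the ActiveDirectory PowerShell module is installed, that the AD-LDS instance had MS-UserProxy.ldf imported (so `userProxy` / `userProxyFull` objects exist), and uses placeholder server and partition names. It compares the domain portion of each proxy object's `objectSid` with the domain SID of the machine running the script and flags proxies whose source domain differs, which is exactly the set the answer says cannot be redirected.

```powershell
# Added example (not part of the original thread): audit userProxy objects in an
# AD-LDS instance for bind-redirection feasibility. Run on the AD-LDS host itself
# so that Get-ADDomain -Current LocalComputer returns the host's own domain.
param(
    # Placeholder host:port of the AD-LDS instance (assumption)
    [string]$LdsServer   = 'adlds01.example.com:50000',
    # Placeholder application partition DN (assumption)
    [string]$PartitionDN = 'DC=apps,DC=example,DC=com'
)

Import-Module ActiveDirectory

# Domain SID of the domain this (AD-LDS member server) machine is joined to.
$localDomainSid = (Get-ADDomain -Current LocalComputer).DomainSID.Value

# The AD module talks to AD-LDS when -Server is given as host:port.
$proxies = Get-ADObject -Server $LdsServer -SearchBase $PartitionDN `
    -LDAPFilter '(|(objectClass=userProxy)(objectClass=userProxyFull))' `
    -Properties objectSid

$report = foreach ($p in $proxies) {
    # objectSid on a userProxy is the SID of the real AD-DS account being proxied.
    $sid = [System.Security.Principal.SecurityIdentifier]$p.objectSid
    $accountDomainSid = $sid.AccountDomainSid.Value

    [pscustomobject]@{
        DistinguishedName = $p.DistinguishedName
        AccountDomainSid  = $accountDomainSid
        # Redirectable only when the account lives in the host's own domain,
        # which is the constraint stated in the accepted answer.
        Redirectable      = ($accountDomainSid -eq $localDomainSid)
    }
}

$report | Format-Table -AutoSize

$broken = @($report | Where-Object { -not $_.Redirectable })
Write-Host ("{0} of {1} proxy objects point at a domain this server cannot redirect to." -f `
    $broken.Count, @($report).Count)
```

Objects reported as not redirectable will fail LDAP simple binds regardless of what the user types, so this is a quick way to confirm whether a multi-domain-without-trusts design like the one in the question can ever work through AD-LDS proxying.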
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 40634107
Thank you, that was a very succinct explanation for why this will not work.

I REALLY think that the tech community at large SEVERELY misunderstands what AD-LDS can and cannot do...What I learned through this long journey is:  

- Exactly how to work and setup AD-LDS --> It's very useful and cool
- Exactly the nuances of setting up schema differences between domains / partitions. This was useful in and of itself.
- The tech community enjoys very much posting 75% of their experience and missing the last 25%.  This is probably because most people have no idea exactly what this is capable of.

Thank you VERY much for your help.

I still need to sync passwords between domains, this is more of a service-provider relationship than a true multi-domain scenario where domains can be trusted...do you have any tips on using another tool to do this, perhaps Forefront Identity Management (FIM)?  I see that RACKSPACE, Intermedia, etc...do similar syncs that I'm talking about, where we have to target a specific OU for source accounts (can't take the entire directory, bad idea...) and PCNS (Password Change Notification Service) runs on every DC to notify the provider of the password change.

Do you know of any way to implement something like this?  I'm willing to go down the FIM road, but I need to know if this is the right tool before going on this journey.

Thanks!
 
LVL 56

Expert Comment

by:Cliff Galiher
ID: 40634128
FIM can do this and is actually what Microsoft's own implementation of dirsync was built on.
